At the NCSC and ICO, we address the consequences of serious cyber attacks daily. Although our duties differ, we both tackle incidents that can disrupt businesses, severely affect national services and infrastructure, and significantly disrupt daily life. You might recognize some of these incidents from the media, and unfortunately they paint a grim picture.
Our concern is growing about the silent attacks we don’t hear about, particularly ransomware incidents. These attacks go unreported, and ransoms are quietly paid to make the problem go away. When attacks go unreported, criminals are emboldened, and similar incidents increase. We understand the damaging ramifications of such actions.
In this article, we will discuss why transparency surrounding cyber attacks is crucial for all parties involved by examining and debunking common myths about responding to these incidents.
Myth 1: Ignoring the attack will resolve the issue
Picture returning home from work only to discover your house has been broken into. Instead of alerting the authorities for help, you clean up quickly, pretend everything is fine, and hope no one finds out, without investigating any further.
In the following week, your neighbor experiences a burglary, although you might not learn of it because they choose not to mention it. Moreover, the burglars could return to your home, as the unattended unlocked window remains accessible.
This scenario mirrors how cyber incidents often unfold, especially ransomware. Every successful cyber attack that is concealed without investigation or information sharing increases the likelihood of further attacks, because no one benefits from the lessons it could teach. Paying a ransom in silence signals to criminals that such attacks yield success, which can encourage further incidents.
Thus, neglecting to conduct thorough investigations and to share the findings, particularly with those who can aid in mitigation efforts, will definitely not lead to a favorable outcome.
How to share?
We acknowledge that it is challenging for organizations to be candid about the traumatic experience of a cyber attack. However, secure and trusted environments exist for this purpose. The NCSC offers CISP to facilitate secure information sharing among organizations, as well as sector information exchanges (IEs) and other trusted groups. There may be additional forums available in your sector or region too.
Keeping your cyber incident confidential is beneficial only to the attackers.
Myth 2: Reporting to the authorities increases the likelihood of public disclosure
If your organization suffers a cyber attack, notifying the NCSC or law enforcement allows access to valuable support resources. NCSC Incident Management’s responsibility includes providing direct support to affected organizations with national ramifications, collaborating with the designated incident response provider. We routinely manage cyber incidents and are here to help. Your confidentiality is respected, and we do not disclose information publicly or to regulators without your consent.
The NCSC also offers extensive communication assistance to help organizations navigate incidents, manage media representation, and maintain active communication. While we encourage transparency during incidents, the final decision is yours, and we will support you regardless.
Remember your regulatory obligations
The ICO’s role as the regulator is to provide guidance and support to regulated organizations and to enforce relevant regulations. Following an incident, we do not reveal any details other than confirming whether we have been informed about the incident. It’s critical to recognize that there may be legal requirements to report incidents (more information about your responsibilities, including a self-assessment tool, can be found on the ICO website).
In determining the regulatory response, it is vital to emphasize that we consider how proactive an organization is in seeking the appropriate support, which entails engaging with the NCSC and implementing their counsel. In our upcoming process review, we may clarify how much of a reduction in fines can be achieved when an organization proactively engages in the incident management process. Transparency is not just an ethical obligation; it also becomes a smart business approach.
Where public disclosure of incident information is necessary, we typically consult with the affected company in advance to avoid unexpected revelations.
Myth 3: Paying a ransom resolves the incident
In a ransomware attack, not only are your files and systems encrypted, but attackers often also steal data from your network and threaten to disclose it if you refuse to pay.
Paying the ransom quickly to obtain the decryption key and restore services may not always yield relief. Why is this the case?
- The decryption process can be drawn out and complicated. Attackers may inadvertently double-encrypt data, preventing decryption, or they may delete data that cannot be retrieved. In some scenarios, restoring from backups proved to be quicker than using the decryption key.
- Paying a ransom essentially means accepting a promise from criminals that they will decrypt your systems or refrain from leaking data. No guarantees exist, and recovering organizations are often targeted again. Estimates suggest that approximately one-third of all organizations affected by ransomware face another attack.
- By paying a ransom, you are rewarding the criminals for their efforts and increasing the likelihood of more attacks against different organizations, exacerbating the overall threat landscape.
- The ICO’s position indicates that paying ransoms doesn’t diminish risks for individuals, represents no mitigation under data protection law, and is not deemed a reasonable method of safeguarding data.
The stance of the NCSC, in conjunction with law enforcement, is that we do not promote, endorse, or encourage ransom payments. However, we recognize that unprepared organizations may feel that paying a ransom is the sole avenue of escape post-attack. Should that occur, we encourage continuous communication with the NCSC and law enforcement partners to understand how the breach occurred so that it can be prevented in the future.
Do not leave that window unguarded for a repeat visit.
Myth 4: With solid offline backups, ransom payment isn’t necessary
It would be ideal if implementing our robust cyber security guidance ensured that your backups were securely offline, allowing for a smooth recovery if an unfortunate incident occurs.
However, the dimension of data extortion introduces significant complexity. Should attackers have access to sensitive data, they could threaten to leak it unless the ransom is paid.
This necessitates careful consideration regarding the data you possess and how you safeguard it.
Think of it as storing another person’s valuables in your home in a box labeled ‘valuable items inside!’ and leaving your window unlatched for thieves to enter. You are charged with the duty of protecting the sensitive data in your custody, which in this case, concerns others’ personal information.
Ensuring the security of people’s data is not just an ethical duty; it is a legal requirement per data protection law. Refer to the ICO’s security guidance for further insights.
Myth 5: Absence of data theft evidence means no need to report to the ICO
You may not be able to ascertain from your logging data whether data was stolen. However, if there is even a possibility that an attacker accessed systems with your data, you should assume that it has been compromised. As the saying goes: absence of evidence isn’t evidence of absence.
The NCSC has encountered numerous instances where organizations hit by ransomware believed that their data was untouched, only to discover it appearing in a dark web leak weeks or months later. Seeking prompt assistance and maintaining open communication reduces the chances of unanticipated future data leaks.
From the ICO’s standpoint, it’s critical to reiterate that organizations have responsibilities under data protection law and other pertinent legislation, including NIS, to report incidents that meet specified thresholds. And a lack of evidence is no indication of adequate technical security. Existing in blissful ignorance should not equate to compliance with data protection law.
Myth 6: Fines only happen if data is leaked
This assumption is incorrect. A data breach is not the sole reason for fines, and leaking data does not guarantee a fine will be imposed. A personal data breach encompasses more than mere data loss; it includes unauthorized disclosure, destruction, alteration, or access to personal data. The ICO evaluates each case carefully; the context matters, and it isn’t purely about whether data was compromised.
The ICO acts fairly and proportionately, recognizing that enhancing organizations’ data protection practices serves the best interest of protecting people’s data. If significant, systemic, or neglectful actions that jeopardize personal data are identified, enforcement action may result. This is not applied universally, however.
The ICO acknowledges when organizations have worked diligently to comprehend what transpired and have learned from the experience. As mentioned earlier, if your organization informs the NCSC about the incident and can demonstrate compliance with their guidelines, it may positively influence our approach.
However, cyber gangs may tell you otherwise
Be aware that cybercriminals exploit the misconception that data breaches are the sole source of heavy fines. The NCSC has seen ransom messages stating things like: “The ransom is £50 million. If you pay, you’ll evade a regulatory fine of £600 million, which is 0.5% of your annual revenue.” Do not fall prey to their tactics! Seek guidance and communicate early, so that you avoid a future investigation into attempts to conceal the incident.
Avoid perpetuating the cycle!
We hope this article encourages you to understand the importance of openness in the aftermath of unfortunate incidents.
Seeking support and maintaining transparent communication with the NCSC and ICO after an incident only serves to benefit you. Sharing information about the attack with your trusted communities later can ultimately improve the threat picture for all.
And it’s not just us; others share the same sentiment. In the United States, CISA Director Jen Easterly has written about how the reluctance to report to government fosters a downward spiral, while Google’s President of Global Affairs emphasizes the need to ‘embed transparency’ within cybersecurity responses.
Ensure that cybersecurity lessons are learned to protect yourself and help prevent future attacks for all. Remember that the cyber incident reporting service aids UK organizations in accessing necessary support when required.
Eleanor Fairford, NCSC’s Deputy Director for Incident Management
Mihaela Jembei, ICO’s Director of Regulatory Cyber
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/why-more-transparency-around-cyber-attacks-is-a-good-thing-for-everyone